Possible connections between WannaCry and Lazarus Group

May 16, 2017

On Monday, 15 May, a security researcher from Google posted an artefact on Twitter potentially pointing at a connection between the WannaCry ransomware attacks that recently hit thousands of organisations and private users around the world, and the malware attributed to the infamous Lazarus hacking group, responsible for a series of devastating attacks against government organisations, media and financial institutions.

The largest operations linked to the Lazarus group include: the attacks against Sony Pictures in 2014, the Central Bank of Bangladesh cyber heist in 2016 and a subsequent series of similar attacks continued in 2017.

The Google researcher pointed at a WannaCry malware sample which appeared in the wild in February 2017, two months before the recent wave of attacks. Kaspersky Lab’s GReAT researchers analysed this information, identified and confirmed clear code similarities between the malware sample highlighted by the Google researcher and the malware samples used by the Lazarus group in 2015 attacks.

According to Kaspersky Lab researchers, the similarity of course could be a false flag operation. However, the analysis of the February sample and comparison to WannaCry samples used in recent attacks shows that the code which points at the Lazarus group was removed from the WannaCry malware used in the attacks started last Friday. This can be an attempt to cover traces conducted by orchestrators of the WannaCry campaign.

Although this similarity alone doesn’t allow proof of a strong connection between the WannaCry ransomware and the Lazarus Group, it can potentially lead to new ones which would shed light on the WannaCry origin which to the moment remains a mystery.